Skip to content

fix(ssl): use leaf cert for validation #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TusharFA merged 1 commit into from
Apr 7, 2026
Merged

fix(ssl): use leaf cert for validation #66

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 12 additions & 18 deletions lib/src/ssl_pinning/ssl_pinning_http_client_adapter.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,22 +29,13 @@ class SslPinningHttpClientAdapter implements HttpClientAdapter {
final IOHttpClientAdapter _ioAdapter = IOHttpClientAdapter();

SslPinningHttpClientAdapter(this.config) {
// Configure the underlying adapter's HttpClient creation
_ioAdapter.createHttpClient = () {
// Create SecurityContext that doesn't trust any CA certificates by default
// This forces ALL certificates (valid or invalid) to go through badCertificateCallback
final securityContext = SecurityContext(withTrustedRoots: false);

final client = HttpClient(context: securityContext);

// CRITICAL: This callback now handles ALL certificates since we disabled trusted roots
// Every certificate must pass our fingerprint validation
client.badCertificateCallback =
(X509Certificate cert, String host, int port) {
return _validateCertificate(cert, host, port);
};

return client;
// validateCertificate fires post-handshake for ALL HTTPS connections with
// SSL_get_peer_certificate() = the leaf cert. Standard CA chain validation
// still runs (expired certs, hostname mismatches are rejected by the OS),
// and this adds SPKI fingerprint pinning on top — blocking rogue CAs and
// MITM tools regardless of what is installed in the device trust store.
_ioAdapter.validateCertificate = (cert, host, port) {
return _validateCertificate(cert, host, port);
};
}

Expand All @@ -62,8 +53,9 @@ class SslPinningHttpClientAdapter implements HttpClientAdapter {
_ioAdapter.close(force: force);
}

/// Validate SSL certificate against pinned fingerprints
bool _validateCertificate(X509Certificate cert, String host, int port) {
/// Validate SSL certificate against pinned fingerprints.
/// cert is the leaf certificate provided by validateCertificate.
bool _validateCertificate(X509Certificate? cert, String host, int port) {
if (!config.enabled) {
return true;
}
Expand All @@ -79,6 +71,8 @@ class SslPinningHttpClientAdapter implements HttpClientAdapter {
}
}

if (cert == null) return false;

// Domain is pinned - validate certificate fingerprint
final expectedFingerprints = config.getFingerprintsForDomain(host);

Expand Down
Loading